Running systemd in a container

We have been following the topic of running systemd in containers for a long time. Back in 2014 our security engineer Daniel Walsh wrote the article Running systemd within a Docker Container, and a few years later another one, called Running systemd in a non-privileged container, in which he said that the situation had not improved much. In particular, he wrote: "unfortunately, even two years later, if you google 'Docker systemd', the first thing that comes up is that same old article of his. So it is time to change something." We have also already discussed the conflict between the Docker and systemd developers.


In this article we will look at what has changed since then and how Podman can help here.

There are many reasons to run systemd inside a container, for example:

  1. Multi-service containers: many people want to move their multi-service applications off real machines and run them in containers. It would be better, of course, to split such applications into microservices, but not everyone knows how to do that yet or has the time. So running the applications as services started by systemd from unit files makes perfect sense.
  2. systemd unit files: most applications that run inside containers are built from code that previously ran on virtual or physical machines. Such applications come with a unit file that was written for them and describes how they should be started. So it is better to start the service using the supported mechanism than to hack together your own init service.
  3. systemd is a process manager. It handles services (shutting down, restarting, or reaping zombie processes) better than any other tool.

That said, there are also many reasons not to run systemd in containers. The main one is that systemd/journald takes control of the container's output, while tools such as Kubernetes or OpenShift expect containers to write their logs directly to stdout and stderr. So if you are going to manage containers with orchestration tools like the ones just mentioned, you should think carefully before using systemd-based containers. In addition, the Docker and Moby developers have often been strongly opposed to using systemd in containers.

Enter Podman

We are happy to report that things have moved forward. The container team at Red Hat decided to create its own container engine. It is called Podman and offers the same command-line interface (CLI) as Docker, and almost all Docker commands can be used with Podman in exactly the same way. We often give talks, now titled Replacing Docker with Podman, and the very first slide calls for: alias docker=podman.

Many people do exactly that.

Podman and I have nothing against systemd-based containers. After all, systemd is the most widely used Linux init subsystem, and not letting it work properly in containers means ignoring how thousands of people are used to running their software.

Podman knows what is needed for systemd to run properly in a container. It needs things like tmpfs mounted on /run and /tmp. It prefers to run in a "contained" environment and expects write permission to its part of the cgroup directory tree and to the /var/log/journald directory.

When you start a container whose first command is init or systemd, Podman automatically sets up tmpfs and cgroups so that systemd starts without problems. To disable this behaviour, use the --systemd=false option. Note that Podman only switches to systemd mode when it sees that it is about to run a systemd or init process.

Here is an excerpt from the man page:

man podman run
...

--systemd=true|false

Run the container in systemd mode. Enabled by default.

If you run a systemd or init process inside a container, Podman will set up tmpfs mount points in the following directories:

/run, /run/lock, /tmp, /sys/fs/cgroup/systemd, /var/lib/journal

The default stop signal will also be SIGRTMIN+3.

All this allows systemd to run in a locked-down container without any changes.

NOTE: systemd tries to write to the cgroup file system. However, SELinux prevents containers from doing this by default. To allow the writes, enable the container_manage_cgroup boolean:

setsebool -P container_manage_cgroup true
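As an added example (not part of the original article or of Podman), the following script checks, from inside a running container, whether the mount points the man page excerpt lists are actually present, by reading a /proc/self/mountinfo-style listing. The two mountinfo samples are constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original article: verify that the mount points
# Podman's systemd mode is documented to prepare exist inside the container.
# Input is a /proc/self/mountinfo-style listing; the samples are constructed.

# Directories named in the podman-run man page excerpt.
SYSTEMD_MODE_MOUNTS="/run /run/lock /tmp /sys/fs/cgroup/systemd /var/lib/journal"

# Print "mountpoint fstype" for each line of a mountinfo file.
# In mountinfo the mount point is field 5 and the fs type is the field
# right after the "-" separator (optional fields may precede it).
mountinfo_types() {
    awk '{ for (i = 7; i <= NF; i++) if ($i == "-") { print $5, $(i + 1); break } }' "$1"
}

# Return 0 if every expected directory is a mount point; otherwise list
# the missing ones on stderr and return 1.
check_systemd_mounts() {
    missing=""
    for dir in $SYSTEMD_MODE_MOUNTS; do
        if ! mountinfo_types "$1" | awk -v d="$dir" '$1 == d { f = 1 } END { exit !f }'; then
            missing="$missing $dir"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing systemd-mode mounts:$missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample: what a container started in systemd mode might show.
GOOD_MOUNTINFO=$(mktemp)
cat > "$GOOD_MOUNTINFO" <<'EOF'
900 800 0:50 / / rw,relatime - overlay overlay rw,lowerdir=/var/lib/containers/storage/overlay/l/EXAMPLE
901 900 0:60 / /run rw,nosuid,nodev shared:1 - tmpfs tmpfs rw,size=65536k,mode=755
902 901 0:61 / /run/lock rw,nosuid,nodev - tmpfs tmpfs rw,size=65536k
903 900 0:62 / /tmp rw,nosuid,nodev - tmpfs tmpfs rw,size=65536k
904 900 0:63 / /sys/fs/cgroup/systemd rw,nosuid,nodev,noexec - cgroup cgroup rw,xattr,name=systemd
905 900 0:64 / /var/lib/journal rw,nosuid,nodev - tmpfs tmpfs rw,size=65536k
EOF

# Constructed sample with most of the systemd-mode mounts missing.
BAD_MOUNTINFO=$(mktemp)
grep -v -e ' /tmp ' -e ' /run/lock ' -e ' /sys/fs/cgroup/systemd ' -e ' /var/lib/journal ' "$GOOD_MOUNTINFO" > "$BAD_MOUNTINFO"

check_systemd_mounts "$GOOD_MOUNTINFO" && echo "systemd-mode mounts present"
```

Run it inside the container against the real file with check_systemd_mounts /proc/self/mountinfo; a non-zero exit means systemd mode was not applied (for example because the image's command is not init or systemd).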

Now look at what a Dockerfile for running systemd in a container with Podman looks like:

# cat Dockerfile
FROM fedora
RUN dnf -y install httpd; dnf clean all; systemctl enable httpd
EXPOSE 80
CMD [ "/sbin/init" ]

That's all.

Now we build the container:

# podman build -t systemd .

We tell SELinux to let systemd modify the cgroups configuration:

# setsebool -P container_manage_cgroup true

Many people, by the way, forget this step. Fortunately, it only has to be done once and the setting survives a reboot.

Now we just start the container:

# podman run -ti -p 80:80 systemd

systemd 239 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid)
Detected virtualization container-other.
Detected architecture x86-64.

Welcome to Fedora 29 (Container Image)!

Set hostname to <1b51b684bc99>.
Failed to install release agent, ignoring: Read-only file system
File /usr/lib/systemd/system/systemd-journald.service:26 configures an IP firewall (IPAddressDeny=any), but the local system does not support BPF/cgroup based firewalling.
Proceeding WITHOUT firewalling in effect! (This warning is only shown for the first loaded unit using IP firewalling.)
[  OK ] Listening on initctl Compatibility Named Pipe.
[  OK ] Listening on Journal Socket (/dev/log).
[  OK ] Started Forward Password Requests to Wall Directory Watch.
[  OK ] Started Dispatch Password Requests to Console Directory Watch.
[  OK ] Reached target Slices.
…
[  OK ] Started The Apache HTTP Server.

And that's it, the service is running:

$ curl localhost
<html  xml_lang="en" lang="en">
…
</html>

NOTE: Don't try this with Docker! There you would have to jump through hoops to get containers of this kind started through the daemon. (Additional settings and packages are needed for all of this to work smoothly in Docker, or it has to be run in a privileged container. For details, see the article.)

A few more good things about Podman and systemd

Podman works better than Docker in systemd unit files

If containers need to be started when the machine boots, you can simply put the appropriate Podman commands in a systemd unit file, which starts the service and monitors it. Podman uses the standard fork-exec model. In other words, the container processes are children of the Podman process, so systemd can monitor them easily.

Docker uses a client-server model, and Docker CLI commands can also be placed directly in a unit file. However, once the Docker client connects to the Docker daemon, it (the client) becomes just another process forwarding stdin and stdout. Moreover, systemd knows nothing about the link between the Docker client and the container managed by the Docker daemon, so in this model systemd fundamentally cannot monitor the service.
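As an added example (not part of the original article or of Podman), here is a small shell helper that prints a systemd unit running the "systemd" image built above under Podman, so the host's systemd supervises the container directly through the fork-exec relationship described above. The /usr/bin/podman path, the unit and container names and the published port are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original article: print a systemd unit that
# runs the "systemd" image built above under Podman so the host's systemd
# supervises it. This works because "podman run" stays the parent of the
# container's processes (fork-exec); the same unit around "docker run" would
# supervise only the Docker client. The /usr/bin/podman path, the unit and
# container names and the port are assumptions for the example.

# Usage: podman_unit NAME IMAGE [PORT]  -> unit text on stdout
podman_unit() {
    name=$1; image=$2; port=${3:-80}
    cat <<EOF
[Unit]
Description=Podman container $name (systemd inside)
After=network-online.target
Wants=network-online.target

[Service]
# podman run is the parent of the container's init, so Type=simple is enough
# for systemd to see when the service exits and restart it on failure.
Type=simple
Restart=on-failure
# Remove a stale container left by an unclean shutdown; "-" ignores errors.
ExecStartPre=-/usr/bin/podman rm -f $name
# --systemd=true is already the default when the image's command is init or
# systemd; spelling it out documents what the container expects.
ExecStart=/usr/bin/podman run --name $name --systemd=true -p $port:$port $image
# podman stop sends the container's stop signal, SIGRTMIN+3 in systemd mode,
# so systemd inside shuts its services down cleanly; SIGKILL after 10 s.
ExecStop=/usr/bin/podman stop -t 10 $name

[Install]
WantedBy=multi-user.target
EOF
}

# Write the unit to the host and reload systemd (needs root; not called here).
install_podman_unit() {
    podman_unit "$@" > "/etc/systemd/system/$1.service" && systemctl daemon-reload
}

podman_unit httpd-systemd systemd
```

After installing the unit, systemctl status shows the container's init and httpd processes in the service's own cgroup, which is exactly the visibility the Docker client-server model loses.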

Socket activation

Podman handles socket activation correctly. Because Podman uses the fork-exec model, it can pass the socket down to its child container processes. Docker cannot do this because it uses the client-server model.

The varlink service that Podman uses to let remote clients talk to containers is socket activated. The cockpit-podman package, written in Node.js and part of the cockpit project, lets people interact with Podman containers through a web interface. The web daemon running cockpit-podman sends messages to a varlink socket that systemd listens on. systemd then activates the Podman program to receive the messages and start managing the containers. Socket activation through systemd removes the need for a constantly running daemon when implementing remote APIs.

In addition, we are developing another Podman client called podman-remote, which uses the same Podman CLI but calls varlink to run containers. podman-remote can run over SSH sessions, letting you interact securely with containers on different machines. Over time we plan to have podman-remote support macOS and Windows alongside Linux, so that developers on those platforms can run a Linux VM with the Podman varlink service and feel as though the containers are running on their local machine.

SD_NOTIFY

systemd lets you delay the start of dependent services until the service they need is up. Podman can pass the SD_NOTIFY socket to the containerized service so that the service can notify systemd when it is ready to do work. And again, Docker, with its client-server model, cannot do this.

Plans

We plan to add a podman generate systemd CONTAINERID command, which will generate a systemd unit file to manage the given container. This should work in both root and rootless mode for unprivileged containers. We have also seen a request for an OCI-compatible systemd-nspawn runtime.

Conclusion

Running systemd in a container is a reasonable need. And thanks to Podman we finally have a container runtime that does not fight systemd but makes it easy to use.

Source: www.habr.com
